07-12-2013 07:29 AM
I'm trying to set up an ACE 5.2(1) configuration so that clients from Subnets A-M get NATed to one address, and clients from subnets N-Z get NATed to another address. (This way the proxies in the serverfarm which are being balanced can request authentication for the correct subnets). All clients point to the same VIP address (required). I've set up two separate loadbalance policies to do this. However, only the first policy listed in my multi-match LOAD_BAL policy actually works.
Please see attached configuration. I think I need to re-organize ordering or something... Thanks!
Mike.
07-13-2013 03:18 AM
Hi,
The problem is in your config: both classes are pointing to the same VIP and port, so only the first class will be hit.
Try this configuration:
policy-map type loadbalance first-match NON_AUTHENT_PM
  class NON_AUTHENT_CM --------for desired client source IP's
    serverfarm PROXY_HTTP_SF
    nat dynamic 6 vlan 1601 serverfarm primary
  class class-default ------for rest of client IP's
    serverfarm PROXY_HTTP_SF
    nat dynamic 5 vlan 1601 serverfarm primary
And remove NAT from the multi-match policy. Use a single class, so the rest of the config will be:
serverfarm host PROXY_HTTP_SF
  description Proxied Internet Connections
  probe PROXY_HTTP_PROBE
  fail-on-all
  rserver ELFCPRXY1
    inservice
  rserver ELFCPRXY2
    inservice
  rserver ELFCPRXY3
    inservice

class-map match-any NONAUTHENT_HTTP_VIP
  3 match virtual-address 10.10.240.5 tcp eq 80

class-map type http loadbalance match-any NON_AUTHENT_CM
  description Subnets from which Internet Authentication is not Required
  3 match source-address 10.10.16.0 255.255.240.0
  4 match source-address 10.10.32.0 255.255.240.0
  5 match source-address 10.10.48.0 255.255.240.0

policy-map type loadbalance first-match NON_AUTHENT_PM
  class NON_AUTHENT_CM
    serverfarm PROXY_HTTP_SF
    nat dynamic 6 vlan 1601 serverfarm primary
  class class-default
    serverfarm PROXY_HTTP_SF
    nat dynamic 5 vlan 1601 serverfarm primary

policy-map multi-match LOAD_BAL
  class NONAUTHENT_HTTP_VIP
    loadbalance vip inservice
    loadbalance policy NON_AUTHENT_PM
    loadbalance vip icmp-reply
Hope this helps.
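Added example (not part of the original posts or the attached configuration): a small Python model of the lookup order the answer above describes, showing which NAT pool id a client source address ends up with before and after the change. The "before" layout is constructed, since the attachment is not shown on the page; the VIP, subnets and pool ids 5 and 6 are taken from the answer, and the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

# The three source subnets of NON_AUTHENT_CM (mask 255.255.240.0 = /20).
NON_AUTHENT = [ip_network(n) for n in
               ("10.10.16.0/20", "10.10.32.0/20", "10.10.48.0/20")]
VIP = ("10.10.240.5", 80)

def lb_first_match(lb_policy, src):
    """first-match loadbalance policy: classes are tried in order;
    nets=None stands for class-default."""
    for nets, nat_pool in lb_policy:
        if nets is None or any(src in n for n in nets):
            return nat_pool
    return None

def resolve(multi_match, src, dst, port):
    """Return the NAT pool id for a connection. Only the first multi-match
    class whose VIP:port matches is used, as the answer states."""
    src = ip_address(src)
    for vip, lb_policy, class_nat in multi_match:
        if vip == (dst, port):
            # NAT configured on the multi-match class ignores the source subnet.
            if class_nat is not None:
                return class_nat
            return lb_first_match(lb_policy, src)
    return None

# Constructed "before": two classes on the same VIP:port, NAT on each class.
BEFORE = [
    (VIP, [(None, None)], 6),
    (VIP, [(None, None)], 5),  # never reached: same VIP:port as the class above
]
# "After", per the answer: one VIP class, NAT chosen inside NON_AUTHENT_PM.
AFTER = [
    (VIP, [(NON_AUTHENT, 6), (None, 5)], None),
]

def pools(config, clients):
    """Map each client source address to the NAT pool id it would get."""
    return {c: resolve(config, c, *VIP) for c in clients}

if __name__ == "__main__":
    # Constructed sample clients: two inside the listed subnets, two outside.
    clients = ["10.10.17.20", "10.10.63.254", "10.10.64.1", "192.168.1.10"]
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, pools(cfg, clients))
```

Running the same client list against a planned change is a quick way to confirm that every subnet lands on the pool the proxies expect before touching the ACE.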
07-15-2013 09:58 AM
That helps a lot, and it works as we want! THANKS!